Windows, Android malware spread in massive typosquatting campaign

BleepingComputer reports that more than 200 domains have been leveraged in a new massive typosquatting campaign spoofing 27 different brands to distribute Windows and Android malware. Widely-used Android app stores, including Google Play, APKPure, and APKCombo, as well as TikTok, VidMate, PayPal, and Snapchat download portals have been mimicked by the domains in an effort to deliver the ERMAC banking trojan, which targets 467 banking and cryptocurrency apps, according to a report from Cyble. Meanwhile, more than 27 popular brands were discovered by BleepingComputer to have been used in a much wider typosquatting campaign by the same attackers, which sought to deploy Windows and Android malware, as well as exfiltrate cryptocurrency recovery keys. BleepingComputer found that a typosquat site for the popular Notepad++ text editor enables installation of the Vidar Stealer malware. Vidar Stealer is also deployed by typosquatted Thunderbird, Microsoft Visual Studio Core, and Brave browser sites. Meanwhile, the fake Tor Project site facilitates deployment of the Agent Tesla keylogger and remote access trojan.